Skip to content

Security issue with aesbackend.go environment variable #362

New issue
New issue
Open
#389
Open
Security issue with aesbackend.go environment variable#362
#389
@Profpatsch

Description

@Profpatsch
Profpatsch
opened on Dec 6, 2020

The -encrypt option introduced in #295 allows the config file to be encrypted via the BEEHIVE_CONFIG_PASSWORD environment variable:

beehive/cfg/aesbackend.go

Lines 225 to 239 in 57a4fab

func getPassword(u *url.URL) (string, error) {
p := os.Getenv(PasswordEnvVar)
if p != "" {
return p, nil
}
if u != nil && u.User != nil {
p = u.User.Username()
if p != "" {
return p, nil
}
}
return "", errors.New("password to encrypt or decrypt the config file not available")
}

In general, using an environment variable for a password is more secure than using a command line argument, with one caveat:

You need to unset the variable after reading it. Otherwise it will leak into any process that beehive spawns directly or indirectly and any library that is used by the bees, which is a security risk.

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions